Claude Code Changelog Monitor

Security checks across malware telemetry and agentic risk

Overview

This release monitor does its stated job, but it can send Telegram messages to a built-in bot/chat destination before the user configures their own credentials.

Review before installing. Remove the hardcoded Telegram bot token and chat ID, require your own TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID, avoid running setup.sh until it no longer auto-sends, and only enable the cron job after confirming where alerts will be sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill clearly instructs users to execute local shell scripts and perform networked system actions, but the manifest shown in SKILL.md does not declare corresponding permissions or capabilities. This creates a transparency and consent problem: a user or platform may treat the skill as lower-risk than it actually is, increasing the chance of unintended code execution or network activity.

Tp4

High
Category
MCP Tool Poisoning
Confidence
86% confidence
Finding
The documented purpose is release monitoring and Telegram alerting, but the analyzed behavior includes additional high-sensitivity actions such as downloading and extracting package tarballs, calling external APIs, persisting extracted contents, and reportedly including default Telegram credentials. Hidden or under-disclosed behavior increases supply-chain and credential-risk exposure because users may authorize the skill without realizing it stores data locally or may transmit data using embedded secrets.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script claims to monitor releases and send alerts, but it also downloads and extracts the npm package tarball to disk. That expands the skill's behavior beyond simple monitoring, increasing supply-chain and storage risk because untrusted package contents are fetched and unpacked locally without integrity verification or user opt-in.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script embeds a default Telegram bot token and chat ID, giving it immediate outbound messaging capability even when the user has not configured credentials. Hardcoded live credentials are dangerous because they can be abused by anyone with access to the code, and they enable data exfiltration or unauthorized messaging to a fixed recipient.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly instructs users to store a Telegram bot token and chat ID in a plaintext file under the home directory, but provides no warning about token sensitivity, file permissions, backup exposure, or accidental disclosure. While documentation alone is not active exfiltration, persisting bot credentials locally without security guidance increases the risk of credential leakage and unauthorized bot use.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The documentation says alerts are sent to Telegram and shows credentials stored in a local config file, but it does not present a clear user-facing warning about data transmission, what exact content is sent, and the sensitivity of stored bot credentials. That omission can lead users to expose release/diff data or mishandle reusable bot secrets without understanding the privacy and security implications.

Missing User Warnings

High
Confidence
99% confidence
Finding
A hardcoded Telegram bot token is a credential exposure vulnerability. Even if intended for convenience, embedding the token in source control leaks secret material and allows unauthorized parties to send messages as the bot or repurpose the token for other actions supported by the Telegram Bot API.

VirusTotal

66/66 vendors flagged this skill as clean.
